topic Re: alert in Firewall and Security Management

alert

tavi0906 — Tue, 28 May 2024 16:12:26 GMT

is there a way to notify the Admin about local user expiry using smtp?

Re: alert

Lesley — Tue, 28 May 2024 17:43:00 GMT

admin can get warning when they login. this is configured in Smart Console:

Configuring Default Expiration for Administrators

If you want to use the same expiration settings for multiple accounts, you can set the default expiration for administrator accounts. You can also choose to show notifications about the approaching expiration date at the time when an administrator logs into SmartConsole or one of the SmartConsole clients. The remaining number of days, during which the account will be alive, shows in the status bar.

To configure the default expiration settings:

Click Manage & Settings > Permissions & Administrators > Advanced.
Click Advanced.
In the Default Expiration Date section, select a setting:
- Never expires
- Expire at - Select the expiration date from the calendar control
- Expire after - Enter the number of days, months, or years (from the day the account is made) before administrator accounts expire
In the Expiration notifications section, select Show 'about to expire' indication in administrators view and select the number of days in advance to show the message about the approaching expiration date.
Publish the SmartConsole session.

I have never seen an option to send an e-mail regarding this. E-mails are more for system alerts and or if a firewall rules is being 'hit'.

Re: alert

tavi0906 — Thu, 30 May 2024 04:00:08 GMT

This is an existing setup with an Active (A) / Passive (B) configuration. Since we have no access to the Active Firewall (A) due to all local accounts expiring without notifications, we are planning to initiate a failover via SmartConsole. Is this the best approach instead of disconnecting physical connections?

After failover, we will conduct account recovery (referencing sk163461) for the Active Firewall (A). Alternatively, is there a way to modify the expired local user account from Firewall (B) after the failover?

Re: alert

PhoneBoy — Thu, 30 May 2024 13:00:43 GMT

Assuming this is a ClusterXL cluster, members would likely be expired on the passive also since this is all set on the management.
And what precise accounts are we talking about here? Gaia OS user accounts? VPN User accounts? Admin accounts?

Re: alert

tavi0906 — Thu, 30 May 2024 13:20:57 GMT

Yes, this is clusterXL . we can able to login to standby firewall. we are talking about admin accounts and GAIA OS user accounts.

how can we recover the all accounts on active one ? and can we change the priority of standby in smart console to become active one ?

Re: alert

Bob_Zimmerman — Thu, 30 May 2024 14:09:16 GMT

Are these firewalls plus management servers, or just firewalls?

If they are just firewalls, do you have access to the command line of the management server which manages them?

If so, you may be able to use this to run commands on the firewall:

cprid_util -verbose -server "<firewall address>" rexec -rcmd <some command here>

Replace <firewall address> with the main IP address of the cluster member where you want to run the command. For example, this would add a new administrative user to a firewall (or cluster member) with the main IP 10.20.30.40:

cprid_util -verbose -server "10.20.30.40" rexec -rcmd clish -s -c "add user someNewUser uid 0 homedir /home/someNewUser"

If the returned data includes "(NULL BUF)", that means the management couldn't connect to CPRID on the firewall or member.

Re: alert

tavi0906 — Thu, 30 May 2024 16:24:31 GMT

Is there any sk which shows the above procedure. if yes, please share.

And also can we follow this https://support.checkpoint.com/results/sk/sk106490 to reset the password ?